Notification of Details of Use and Provision of Personal Information
(1) "Personal information controller who meets the criteria prescribed by Presidential Decree" in the main clause of Article 20-2 (1) of the Act means any of the following personal information controllers; in such cases, the number of data subjects prescribed in the following subparagraphs shall be calculated based on the daily average during the immediately preceding three months as of the end of the previous year:
- A person who processes sensitive information or personally identifiable information of at least 50 thousand data subjects;
- A person who processes personal information of at least one million data subjects.
(2) A data subject to be given notification under Article 20-2 (1) of the Act shall be a data subject except the following:
- A data subject who expresses his or her intention to refuse notification;
- Where a personal information controller processes the personal information of executive officers and employees under his or her control to perform his or her work, the relevant data subject;
- Where a personal information controller processes the personal information of executive officers or employees of other public institutions, corporations, or organizations or individuals, including their contact information, to perform his or her work, the relevant data subject;
- A data subject of personal information that is used or provided under provisions otherwise provided in statutes or for the purpose of complying with legal obligations;
- A data subject of personal information that is used or provided by public institutions for the purpose of performing their work prescribed in statutes, regulations, etc.
(3) Information to be notified to data subjects under Article 20-2 (1) of the Act shall be as follows:
- The purpose of collecting and using personal information and the particulars of the personal information collected and used;
- A third party provided with personal information, the purpose of providing the personal information, and the particulars of the personal information provided: Provided, That excluded herefrom shall be information provided under Articles 13, 13-2, and 13-4 of the Protection of Communications Secrets Act and Article 83 (3) of the Telecommunications Business Act.
(4) Notification under Article 20-2 (1) of the Act shall be given at least once a year by any of the following methods:
- A method by which a data subject can easily confirm the details of notification, such as in writing, electronic mail, telephone, or text message;
- Giving notification in the course of providing goods or services through a notification window so that a data subject can easily recognize the relevant details (limited to where notification is given regarding the methods of accessing the information system through which the details of the use and provision of personal information are confirmed under Article 20-2 (1) of the Act).